Snort mailing list archives

Port scans detected behind Firewall?

From: "James Bruce" <jbruce () unitedscience com>
Date: Mon, 13 Jun 2005 16:02:32 -0500


Hello,
        I'm not sure this is the right place to ask this but I have a
another newb question. I don't fully understand how this is happening.
We have a Cisco pix 515 firewall, with all incoming ports closed and
some outbound ports open (80,25 etc..) We also have snort and squid
installed on a W2K server with a single interface behind the firewall.
All network users use the squid proxy for internet access. Snort is
picking up port scans from outside ip addresses. My question is how are
these sites port scanning my proxy server? I know some of these port
scans are from audio streaming sites looking for a hole but shouldn't
the firewall stop these port scans from reaching the proxy?? I'm sure
I'm missing something simple here. Please post your thoughts. Thank you
James

Here is the snort log: 192.168.0.6 is our proxy. Snort's threshold value
for # or ports is set to 20.

--- Last alerts ---

06/13-15:20:57.618914  [**] [117:1:1] (spp_portscan2) Portscan detected
from 192.168.0.7: 1 targets 21 ports in 12 seconds [**] {UDP}
192.168.0.7:53 -> 192.168.0.6:8398 06/13-15:29:17.827235  [**] [117:1:1]
(spp_portscan2) Portscan detected from 216.236.239.10: 1 targets 21
ports in 2 seconds [**] {TCP} 216.236.239.10:80 -> 192.168.0.6:10250
06/13-15:29:43.021986  [**] [117:1:1] (spp_portscan2) Portscan detected
from 204.227.127.209: 1 targets 21 ports in 1 seconds [**] {TCP}
204.227.127.209:80 -> 192.168.0.6:11423 06/13-15:30:54.461331  [**]
[117:1:1] (spp_portscan2) Portscan detected from 207.230.154.176: 1
targets 21 ports in 1 seconds [**] {TCP} 207.230.154.176:80 ->
192.168.0.6:11958 06/13-15:34:40.466430  [**] [117:1:1] (spp_portscan2)
Portscan detected from 192.168.0.175: 6 targets 8 ports in 45 seconds
[**] {TCP} 192.168.0.175:3903 -> 69.28.176.139:554 06/13-15:34:51.430731
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.0.175: 6
targets 6 ports in 10 seconds [**] {TCP} 192.168.0.175:3915 ->
69.28.151.234:1755 06/13-15:41:14.616486  [**] [117:1:1] (spp_portscan2)
Portscan detected from 216.236.239.10: 1 targets 21 ports in 32 seconds
[**] {TCP} 216.236.239.10:80 -> 192.168.0.6:15252 06/13-15:45:14.946210
[**] [117:1:1] (spp_portscan2) Portscan detected from 204.227.127.209: 1
targets 21 ports in 2 seconds [**] {TCP} 204.227.127.209:80 ->
192.168.0.6:16104 06/13-15:47:20.851468  [**] [117:1:1] (spp_portscan2)
Portscan detected from 192.168.0.144: 6 targets 6 ports in 39 seconds
[**] {TCP} 192.168.0.144:4119 -> 64.12.37.89:80 06/13-15:51:26.273253
[**] [117:1:1] (spp_portscan2) Portscan detected from 216.236.239.10: 1
targets 21 ports in 2 seconds [**] {TCP} 216.236.239.10:80 ->
192.168.0.6:17208

-- END OF LOG ---


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
a projector? How fast can you ride your desk chair down the office luge track?
If you want to score the big prize, get to know the little guy.
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Port scans detected behind Firewall? James Bruce (Jun 13)
- Re: Port scans detected behind Firewall? Matt Kettler (Jun 13)